├── .bash_profile
├── .bashrc
├── .docker
├── .dockercfg
└── config.json
├── .esmtprc
├── .ftpconfig
├── .git-credentials
├── .gitattributes
├── .idea
└── WebServers.xml
├── .leaky-meta
├── ,gitignore
├── CHANGELOG.md
├── README.md
├── benchmark.py
├── benchmark.sh
├── benchmarking
│ ├── DETECT-SECRETS.md
│ ├── GITLEAKS.md
│ ├── GITROB.md
│ └── TRUFFLEHOG.md
├── install-test-tools.sh
├── secrets.csv
└── trufflehog_exclude_paths.txt
├── .mozilla
└── firefox
│ ├── cert9.db
│ ├── key4.db
│ └── logins.json
├── .netrc
├── .npmrc
├── .remote-sync.json
├── .ssh
├── id_rsa
└── id_rsa.pub
├── .vscode
└── sftp.json
├── LICENSE
├── README.md
├── cloud
├── .credentials
├── .s3cfg
├── .tugboat
└── heroku.json
├── config
├── db
├── .pgpass
├── dbeaver-data-sources.xml
├── dump.sql
├── mongoid.yml
└── robomongo.json
├── deployment-config.json
├── etc
└── shadow
├── filezilla
├── filezilla.xml
└── recentservers.xml
├── high-entropy-misc.txt
├── hub
├── misc-keys
├── cert-key.pem
└── putty-example.ppk
├── proftpdpasswd
├── sftp-config.json
├── ventrilo_srv.ini
└── web
├── django
└── settings.py
├── js
└── salesforce.js
├── ruby
├── config
│ └── master.key
└── secrets.yml
└── var
└── www
├── .env
└── public_html
├── .htpasswd
├── config.php
└── wp-config.php
/.bash_profile:
--------------------------------------------------------------------------------
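# ~/.bash_profile: login-shell setup (PATH, git prompt and completion) followed
# by the benchmark fixture exports. The per-line risk/informative counts for
# this file live in .leaky-meta/secrets.csv, so the export lines are kept as-is.
export PATH="$PATH:/usr/local/bin"

# Show git branch name in prompt.
# Only wire __git_ps1 into PS1 when the prompt helper is actually present: an
# unconditional 'source' errors on every login when the file is missing, and
# PS1 would then call an undefined __git_ps1 at every prompt. This mirrors the
# guard already used for .git-completion.bash below.
if [ -f ~/.git-prompt.sh ]; then
  source ~/.git-prompt.sh
  PS1="\[\033[01;34m\]\w\[\033[31m\]\$(__git_ps1)\[\033[00m\]\$ "
fi

if [ -f ~/.git-completion.bash ]; then
  . ~/.git-completion.bash
fi

# Benchmark fixture values (see .leaky-meta/secrets.csv for how each line is counted).
export AWS_ACCESS_KEY_ID=yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used w/o the secret key
export AWS_SECRET_ACCESS_KEY=nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX
export AWS_DEFAULT_REGION='us-west-1' # Broad enough that it doesn't create risk by itself.
export AWS_REGION=$AWS_DEFAULT_REGION
export S3_REGION=$AWS_DEFAULT_REGION
export S3_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
export S3_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
export S3_BUCKET=dummy_bucket-90i8985p # Informative, could contain sensitive info, but not necessarily.
export RDS_HOST='fake-rds.jfduhij34u80.us-west-1.rds.amazonaws.com' # Informative, unlikely to be abused w/o password or key
export RDS_PASSWORD='dummy-pass'
export HEROKU_API_KEY='sampleHerokuKey'
export HOMEBREW_GITHUB_API_TOKEN='51e61afee2c2667123fc9ed160a0a20b330c8f74'
export SLACK_API_TOKEN='xoxp-858723095049-581481478633-908968721956-f16b85d1f73ef37c02323bf3fd537ea5'
export MLAB_PASS='password123'
export MLAB_URL='ds908452.mlab.com:25928' # Informative, needs pass
export MLAB_DB='dum-231-h92' # Informative, requires access to server or SQLi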
--------------------------------------------------------------------------------
/.bashrc:
--------------------------------------------------------------------------------
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# Non-interactive shells get nothing from the rest of this file.
if [[ -z $PS1 ]]; then
  return
fi

# History: skip duplicates and space-prefixed commands, append instead of
# overwriting, and cap in-memory/on-disk sizes (see bash(1) for the knobs).
HISTCONTROL=ignoredups:ignorespace
shopt -s histappend
HISTSIZE=1000
HISTFILESIZE=2000

# Re-read LINES/COLUMNS after every command so wrapped output stays right.
shopt -s checkwinsize

# Let less cope with non-text input, see lesspipe(1); the helper prints the
# environment assignments that are evaluated here.
if [[ -x /usr/bin/lesspipe ]]; then
  eval "$(SHELL=/bin/sh lesspipe)"
fi

# Name of the chroot we are working in; shown in the prompt below.
if [[ -z $debian_chroot && -r /etc/debian_chroot ]]; then
  debian_chroot=$(</etc/debian_chroot)
fi

# Colour prompt only for terminals known to want it ...
[[ $TERM == xterm-color ]] && color_prompt=yes

# ... or when forced. Off by default so the prompt does not distract from
# the output of commands.
#force_color_prompt=yes

if [[ -n $force_color_prompt ]]; then
  if [[ -x /usr/bin/tput ]] && tput setaf 1 >&/dev/null; then
    # setaf works, so assume Ecma-48 (ISO/IEC-6429) colour support; terminals
    # lacking it are rare and would tend to offer setf rather than setaf.
    color_prompt=yes
  else
    color_prompt=
  fi
fi

if [[ $color_prompt == yes ]]; then
  PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
  PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# xterm/rxvt: also put user@host:dir into the window title.
case $TERM in
  xterm* | rxvt*) PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" ;;
esac

# Colour for ls/grep, plus the usual ls shorthands.
if [[ -x /usr/bin/dircolors ]]; then
  # Prefer ~/.dircolors; fall back to the built-in defaults when it is absent
  # or fails to load.
  { [[ -r ~/.dircolors ]] && eval "$(dircolors -b ~/.dircolors)"; } || eval "$(dircolors -b)"
  alias ls='ls --color=auto'
  #alias dir='dir --color=auto'
  #alias vdir='vdir --color=auto'

  alias grep='grep --color=auto'
  alias fgrep='fgrep --color=auto'
  alias egrep='egrep --color=auto'
fi

alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# Desktop notification for long running commands, e.g.:  sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'

# Personal aliases belong in ~/.bash_aliases rather than here
# (see /usr/share/doc/bash-doc/examples in the bash-doc package).
[[ -f ~/.bash_aliases ]] && . ~/.bash_aliases

# Programmable completion, unless posix mode is on (or it is already enabled
# through /etc/bash.bashrc and /etc/profile).
if [[ -f /etc/bash_completion ]] && ! shopt -oq posix; then
  . /etc/bash_completion
fi

# Benchmark fixture values; per-line risk/informative counts are in
# .leaky-meta/secrets.csv.
export GMAIL_USERNAME="example@gmail.com" # Informative, can't be used by itself
export GMAIL_PASSWORD="Pass!12345"
export MAILCHIMP_API_KEY="38c47f19e349153fa963bb3b3212fe8e-us11"
export MAILCHIMP_LIST_ID="606b868828" # Not positive, but pretty sure this isn't exploitable by itself. Open an issue if it is!
export OWNER_EMAIL="example@gmail.com" # Informative, can't be used by itself
export JEKYLL_GITHUB_TOKEN="c77e01c1e89682e4d4b94a059a7fd2b37ab326ed"

--------------------------------------------------------------------------------
/.docker/.dockercfg:
--------------------------------------------------------------------------------
1 | {
2 | "https://index.docker.io/v1/": {
3 | "email": "docker@example.com",
4 | "auth": "X3Rva2VuOjEyMzQuMThqZjg0MWZrbDQwYU90dTNrLXdCbDVuaThDM2Q0QVh0QjM2V2VqZzM4MDA2WlR5TDhUOWg5VXgrWWwzdTNVQ1hDWFZlWg"
5 | },
6 | "https://hub.docker.com/": {
7 | "email": "docker@example.com",
8 | "auth": "X3Rva2VuOjEyMzQuMThqZjg0MWZrbDQwYU90dTNrLXdCbDVuaThDM2Q0QVh0QjM2V2VqZzM4MDA2WlR5TDhUOWg5VXgrWWwzdTNVQ1hDWFZlWg"
9 | }
10 | }
--------------------------------------------------------------------------------
/.docker/config.json:
--------------------------------------------------------------------------------
1 | {
2 | "auths": {
3 | "https://index.docker.io/v1/": {
4 | "email": "docker@example.com",
5 | "auth": "X3Rva2VuOjEyMzQuMThqZjg0MWZrbDQwYU90dTNrLXdCbDVuaThDM2Q0QVh0QjM2V2VqZzM4MDA2WlR5TDhUOWg5VXgrWWwzdTNVQ1hDWFZlWg"
6 | },
7 | "https://hub.docker.com/": {
8 | "email": "docker@example.com",
9 | "auth": "X3Rva2VuOjEyMzQuMThqZjg0MWZrbDQwYU90dTNrLXdCbDVuaThDM2Q0QVh0QjM2V2VqZzM4MDA2WlR5TDhUOWg5VXgrWWwzdTNVQ1hDWFZlWg"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/.esmtprc:
--------------------------------------------------------------------------------
1 | identity "example@gmail.com"
2 | hostname smtp.gmail.com:587
3 | username "example@gmail.com"
4 | password "password"
5 | starttls required
--------------------------------------------------------------------------------
/.ftpconfig:
--------------------------------------------------------------------------------
1 | {
2 | "protocol": "sftp",
3 | "host": "example.com",
4 | "port": 22,
5 | "user": "root",
6 | "pass": "hunter22",
7 | "promptForPass": false,
8 | "remote": "/var/www",
9 | "local": "",
10 | "agent": "",
11 | "privatekey": "",
12 | "passphrase": "swordfish",
13 | "hosthash": "",
14 | "ignorehost": true,
15 | "connTimeout": 10000,
16 | "keepalive": 10000,
17 | "keyboardInteractive": false,
18 | "keyboardInteractiveForPass": false,
19 | "remoteCommand": "",
20 | "remoteShell": "",
21 | "watch": [],
22 | "watchTimeout": 500
23 | }
--------------------------------------------------------------------------------
/.git-credentials:
--------------------------------------------------------------------------------
1 | https://user@example.com:password!#@498@github.com
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # This is not a secrets file but must be in the root directory.
2 | # 2010
3 | *.txt -crlf
4 |
5 | # 2020
6 | *.txt text eol=lf
--------------------------------------------------------------------------------
/.idea/WebServers.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
14 |
15 |
--------------------------------------------------------------------------------
/.leaky-meta/,gitignore:
--------------------------------------------------------------------------------
1 | *.toml
--------------------------------------------------------------------------------
/.leaky-meta/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | # Changelog
2 | ## 1.1.1
3 | System/logic changes:
4 | * Added support for benchmarking gitleaks
5 | * Fixed up install and benchmark scripts
6 | * Added secret coverage percentage for benchmarks
7 |
8 | Changes to secrets:
9 | * Added a password value for robomongo
10 |
11 | ## 1.1.0
12 | System/logic changes:
13 | * Added system for automatically generating benchmarks
14 | * Added results for gitrob
15 | * Moved benchmarking, metadata, and source code into `.leaky-meta` folder
16 | * Added CSV with data about secrets
17 | * Categorized secrets into Risk and Informative.
18 | * Added results from Gitrob, provided by [@evilpacket](https://github.com/evilpacket)
19 |
20 | Changes to secrets:
21 | * Added password to `sftp.json` secret
22 | * Added pass to `filezilla/filezilla.xml` (was anonymous login)
23 | * Added realistic value to `hub` file (was just "oauth_token")
24 | * Set redis pass in `web/var/www/.env`
25 | ## 1.0.0
26 | * Initial release version
27 |
--------------------------------------------------------------------------------
/.leaky-meta/README.md:
--------------------------------------------------------------------------------
1 | ## .leaky-meta
2 | This folder is for scripts/tools designed to assist with the management of this repo. It won't contain actual secrets/patterns (hopefully!)
3 |
4 | ## Running benchmarks
5 | To run these benchmarks, use `benchmark.sh`. It currently generates reports for these engines:
6 | * TruffleHog
7 | * Detect-secrets
--------------------------------------------------------------------------------
/.leaky-meta/benchmark.py:
--------------------------------------------------------------------------------
# For py2 compat
from __future__ import division

import csv
import json
import os
import subprocess
from io import StringIO
from subprocess import PIPE

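def get_secret_counts(path='secrets.csv'):
    '''
    A generator for secrets in default files.

    Reads a CSV laid out as ``name,num_risk,num_informative`` (see the header
    comments in secrets.csv), skipping blank lines and ``#`` comment lines.

    :param path: CSV file to read; defaults to ``secrets.csv`` in the current
        working directory, which is what the benchmark run relies on.
    :returns: filepath, risk_count, informative_count (str, int, int) per row
    :raises ValueError: if a count column is not an integer
    :raises IndexError: if a data row has fewer than three columns
    '''
    with open(path) as f:
        rows = [line for line in f
                if line.strip() and not line.startswith('#')]
    # csv.reader takes any iterable of lines and copes with the trailing
    # newline itself, so the lines are handed over unstripped.
    for row in csv.reader(rows, delimiter=','):
        yield [row[0], int(row[1]), int(row[2])]
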
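def get_command_stdout(cmd, cwd='..'):
    '''
    Run ``cmd`` to completion and capture what it wrote.

    :param cmd: argument list handed to subprocess.Popen; no shell is involved,
        so the arguments are not re-parsed
    :param cwd: working directory for the child; ``..`` because the benchmark
        runs from .leaky-meta and scans the repo root
    :returns: (stdout, stderr) decoded as UTF-8; stderr is None when the
        child wrote nothing to it
    :raises OSError: if the executable cannot be found or started
    '''
    # The previous version called os.path.abspath(cwd) and discarded the
    # result; Popen resolves cwd itself, so nothing is needed here.
    p = subprocess.Popen(cmd, stdout=PIPE, stderr=PIPE, cwd=cwd)
    stdout, stderr = p.communicate()
    # The exit status is deliberately not checked: callers parse stdout (or a
    # report file) and decide for themselves what an empty result means.
    err = stderr.decode('utf-8') if stderr else None
    return stdout.decode('utf-8'), err
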
def get_secret_count_detectsecrets():
    '''
    Run detect-secrets over the repo root and count its findings per file.

    The scanner's JSON ``results`` object maps a file path to a list of
    findings; only the length of each list is kept.

    :returns: (command argv, {file path: number of findings})
    '''
    cmd = ['detect-secrets', 'scan']
    stdout, _ = get_command_stdout(cmd)
    results = json.loads(stdout).get('results')
    finds = {name: len(results.get(name)) for name in results}
    return cmd, finds

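def get_secret_count_gitleaks():
    '''
    Run gitleaks over the repo root and count its findings per file.

    gitleaks is told to write its report to ``.leaky-meta/gitleaks.json``
    relative to the scan directory (``..``), and the report is then read back
    as ``gitleaks.json`` relative to the current directory; the two only
    coincide when this script runs from ``.leaky-meta``, which the rest of the
    script already assumes.

    :returns: (command argv, {file path: number of findings})
    :raises IOError: if the report was not produced (e.g. gitleaks missing)
    '''
    report = 'gitleaks.json'
    cmd = ['gitleaks', '--config=.leaky-meta/gitleaks-config.toml',
           '--report=.leaky-meta/gitleaks.json', '--repo-path', '.']
    # stdout/stderr are not needed: the findings come from the report file.
    get_command_stdout(cmd)

    finds = {}
    try:
        with open(report) as f:
            data = json.load(f)
        # NOTE(review): an empty report may be [] or null depending on the
        # gitleaks version — TODO confirm; either way nothing is counted.
        for obj in data or []:
            filename = obj.get('file')
            finds[filename] = finds.get(filename, 0) + 1
    finally:
        # Always remove the report, even when parsing fails, so a stale file
        # is never counted by a later run.
        if os.path.exists(report):
            os.remove(report)
    return cmd, finds
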
def get_secret_count_trufflehog():
    '''
    Run truffleHog (regex mode, JSON output) over the repo root.

    Output is one JSON object per line; each is reduced to its ``path`` and
    the number of ``stringsFound``. If a path appears on several lines the
    later line overwrites the earlier count.

    :returns: (command argv, {file path: number of strings found})
    '''
    trufflehog_cmd = ['trufflehog', '--json', '--regex', '.']
    stdout, _ = get_command_stdout(trufflehog_cmd)

    finds = {}
    for line in stdout.split('\n'):
        if not line:
            # Skip empty lines (at least the one after the final newline)
            continue
        obj = json.loads(line)
        finds[obj.get('path')] = len(obj.get('stringsFound'))
    return trufflehog_cmd, finds

def build_markdown_rows(secrets_function, expected_counts):
    '''
    Join one scanner's per-file counts with the expected counts from secrets.csv.

    :param secrets_function: callable returning (command argv, {path: found})
    :param expected_counts: rows of [path, num_risk, num_informative]
    :returns: (command argv, {path: {'name', 'found', 'expected',
        'false_positives'}}) with one entry per expected row; files the
        scanner did not report get found=0 and false_positives=0
    '''
    cmd, secrets = secrets_function()
    dat = {}
    for row in expected_counts:
        name = row[0]
        expected = row[1] + row[2]
        if name not in secrets:
            dat[name] = {'name': name, 'found': 0, 'expected': expected,
                         'false_positives': 0}
            continue
        found = secrets[name]
        # Anything reported beyond what secrets.csv lists is a false positive;
        # clamp at zero so under-detection does not come out negative.
        dat[name] = {'name': name, 'found': found, 'expected': expected,
                     'false_positives': max(found - expected, 0)}
    return cmd, dat

def build_table_header(filename_cols):
    '''
    Build the two header lines of the markdown results table.

    :param filename_cols: width of the file-name column; values below 9 (the
        width of the literal 'File Name') produce no padding at all
    :returns: header row plus separator row, each newline-terminated
    '''
    title = 'File Name'
    padding = ' ' * (filename_cols - len(title))
    rule = '-' * filename_cols
    return (title + padding + '| Found/Total | False Positives |\n'
            + rule + '|----------------|-----------------|\n')

def build_md_table(secrets_function):
    '''
    Render one scanner's results as a markdown table and total them up.

    :param secrets_function: callable returning (command argv, {path: found})
    :returns: (command argv, total_files, files_covered, total_finds,
        total_expected, total_false_positives, table_markdown); total_finds
        excludes false positives, while files_covered counts every file with
        a non-zero find, false positives included
    :raises ValueError: if secrets.csv yields no rows (max() of nothing)
    '''
    # name, padding, found, expected, false positives
    row_fmt = '{}{}| {}/{} | {}\n'

    expected_counts = list(get_secret_counts())
    # Name column: longest file name plus two spaces before the separator.
    name_width = max(len(row[0]) for row in expected_counts) + 2
    cmd_used, rows = build_markdown_rows(secrets_function, expected_counts)
    # Most finds first; sorted() is stable, so ties keep their dict order.
    ordered = sorted(rows.values(), key=lambda entry: -entry['found'])

    total_finds = total_expected = total_false_positives = files_covered = 0
    lines = [build_table_header(name_width)]
    for entry in ordered:
        name = entry.get('name')
        found = entry.get('found')
        expected = entry.get('expected')
        false_positives = entry.get('false_positives')

        # Totals leave false positives out; coverage counts any non-zero find.
        total_finds += found - false_positives
        total_expected += expected
        total_false_positives += false_positives
        if found:
            files_covered += 1

        lines.append(row_fmt.format(name, ' ' * (name_width - len(name)),
                                    found, expected, false_positives))

    return (cmd_used, len(expected_counts), files_covered, total_finds,
            total_expected, total_false_positives, ''.join(lines))

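def _coverage_percent(part, whole):
    '''
    Percentage of ``part`` over ``whole``, rounded to two decimals.

    :returns: 0.0 when ``whole`` is zero (an empty secrets.csv or nothing
        expected) instead of raising ZeroDivisionError
    '''
    if not whole:
        return 0.0
    # True division: the file imports division from __future__ for py2.
    return round((part / whole) * 100, 2)


def build_md(secrets_function, tool_url):
    '''
    Build the full markdown report for one scanner: a header with the tool
    URL, the command used, file and find coverage percentages, the false
    positive total, then the per-file table from build_md_table().

    :param secrets_function: callable returning (command argv, {path: found})
    :param tool_url: upstream project URL shown in the report header
    :returns: the report as a single markdown string
    '''
    header_fmt = ('Tool: {} '
                  '\nCommand Used: `{}` '
                  '\nFiles covered: {}/{} ({}% coverage) '
                  '\nTotal finds: {}/{} ({}% coverage) '
                  '\nFalse Positives: {} '
                  '\n\n{}')

    (cmd, total_files, files_covered, total_finds,
     total_expected, false_positives, table) = build_md_table(secrets_function)
    # Convert cmd to a string
    cmd = ' '.join(cmd)

    file_coverage = _coverage_percent(files_covered, total_files)
    find_coverage = _coverage_percent(total_finds, total_expected)
    return header_fmt.format(tool_url, cmd,
                             files_covered, total_files, file_coverage,
                             total_finds, total_expected, find_coverage,
                             false_positives, table)
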
if __name__ == '__main__':
    # Run every scanner first (in this order), then write the reports; a
    # scanner failure therefore leaves benchmarking/ untouched.
    detect_secrets = build_md(get_secret_count_detectsecrets, 'https://github.com/Yelp/detect-secrets')
    truffle_hog = build_md(get_secret_count_trufflehog, 'https://github.com/dxa4481/truffleHog')
    gitleaks = build_md(get_secret_count_gitleaks, 'https://github.com/zricethezav/gitleaks')

    reports = [
        ('TRUFFLEHOG.md', truffle_hog),
        ('DETECT-SECRETS.md', detect_secrets),
        ('GITLEAKS.md', gitleaks),
    ]
    for report_name, markdown in reports:
        with open(os.path.join('benchmarking', report_name), 'w+') as f:
            f.write(markdown)

--------------------------------------------------------------------------------
/.leaky-meta/benchmark.sh:
--------------------------------------------------------------------------------
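#!/bin/bash
# Run the secret-scanner benchmark: install the scanners, then let
# benchmark.py write the per-tool reports under benchmarking/.
#
# benchmark.py opens secrets.csv and scans '..' relative to its working
# directory, and install-test-tools.sh is sourced by relative path, so both
# silently depend on the cwd being .leaky-meta. Switch there explicitly
# instead of relying on whoever invokes this script.
cd "$(dirname -- "$0")" || exit 1
# Sourced, not executed: an 'exit' inside it ends this script too.
source ./install-test-tools.sh
python benchmark.py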
--------------------------------------------------------------------------------
/.leaky-meta/benchmarking/DETECT-SECRETS.md:
--------------------------------------------------------------------------------
1 | Tool: https://github.com/Yelp/detect-secrets
2 | Command Used: `detect-secrets scan`
3 | Files covered: 23/44 (52.27% coverage)
4 | Total finds: 41/175 (23.43% coverage)
5 | False Positives: 0
6 |
7 | File Name | Found/Total | False Positives |
8 | ---------------------------------------|----------------|-----------------|
9 | .mozilla/firefox/logins.json | 6/28 | 0
10 | .bash_profile | 4/11 | 0
11 | .bashrc | 3/6 | 0
12 | web/ruby/secrets.yml | 3/3 | 0
13 | web/var/www/.env | 3/10 | 0
14 | cloud/.credentials | 2/4 | 0
15 | cloud/heroku.json | 2/2 | 0
16 | high-entropy-misc.txt | 2/2 | 0
17 | ventrilo_srv.ini | 2/2 | 0
18 | .docker/.dockercfg | 1/4 | 0
19 | .docker/config.json | 1/4 | 0
20 | .ssh/id_rsa | 1/1 | 0
21 | cloud/.tugboat | 1/3 | 0
22 | db/mongoid.yml | 1/1 | 0
23 | misc-keys/cert-key.pem | 1/1 | 0
24 | misc-keys/putty-example.ppk | 1/2 | 0
25 | hub | 1/2 | 0
26 | web/var/www/public_html/config.php | 1/4 | 0
27 | deployment-config.json | 1/4 | 0
28 | .remote-sync.json | 1/3 | 0
29 | .vscode/sftp.json | 1/4 | 0
30 | sftp-config.json | 1/4 | 0
31 | .idea/WebServers.xml | 1/2 | 0
32 | .ssh/id_rsa.pub | 0/1 | 0
33 | cloud/.s3cfg | 0/3 | 0
34 | db/dump.sql | 0/10 | 0
35 | etc/shadow | 0/1 | 0
36 | filezilla/recentservers.xml | 0/6 | 0
37 | filezilla/filezilla.xml | 0/3 | 0
38 | proftpdpasswd | 0/1 | 0
39 | web/ruby/config/master.key | 0/1 | 0
40 | .npmrc | 0/3 | 0
41 | web/var/www/public_html/wp-config.php | 0/12 | 0
42 | web/var/www/public_html/.htpasswd | 0/1 | 0
43 | .git-credentials | 0/1 | 0
44 | db/robomongo.json | 0/7 | 0
45 | web/js/salesforce.js | 0/1 | 0
46 | .netrc | 0/2 | 0
47 | config | 0/4 | 0
48 | db/.pgpass | 0/1 | 0
49 | db/dbeaver-data-sources.xml | 0/1 | 0
50 | .esmtprc | 0/3 | 0
51 | web/django/settings.py | 0/1 | 0
52 | .ftpconfig | 0/5 | 0
53 |
--------------------------------------------------------------------------------
/.leaky-meta/benchmarking/GITLEAKS.md:
--------------------------------------------------------------------------------
1 | Tool: https://github.com/zricethezav/gitleaks
2 | Command Used: `gitleaks --config=.leaky-meta/gitleaks-config.toml --report=.leaky-meta/gitleaks.json --repo-path .`
3 | Files covered: 40/44 (90.91% coverage)
4 | Total finds: 127/175 (72.57% coverage)
5 | False Positives: 17
6 |
7 | File Name | Found/Total | False Positives |
8 | ---------------------------------------|----------------|-----------------|
9 | web/var/www/.env | 14/10 | 4
10 | web/var/www/public_html/wp-config.php | 14/12 | 2
11 | .mozilla/firefox/logins.json | 13/28 | 0
12 | .bash_profile | 12/11 | 1
13 | db/dump.sql | 10/10 | 0
14 | db/robomongo.json | 7/7 | 0
15 | .vscode/sftp.json | 7/4 | 3
16 | cloud/.credentials | 6/4 | 2
17 | web/var/www/public_html/config.php | 4/4 | 0
18 | .bashrc | 3/6 | 0
19 | config | 3/4 | 0
20 | db/dbeaver-data-sources.xml | 3/1 | 2
21 | .esmtprc | 3/3 | 0
22 | deployment-config.json | 3/4 | 0
23 | sftp-config.json | 3/4 | 0
24 | .idea/WebServers.xml | 3/2 | 1
25 | .docker/.dockercfg | 2/4 | 0
26 | .docker/config.json | 2/4 | 0
27 | cloud/heroku.json | 2/2 | 0
28 | filezilla/recentservers.xml | 2/6 | 0
29 | high-entropy-misc.txt | 2/2 | 0
30 | .git-credentials | 2/1 | 1
31 | web/js/salesforce.js | 2/1 | 1
32 | .netrc | 2/2 | 0
33 | hub | 2/2 | 0
34 | ventrilo_srv.ini | 2/2 | 0
35 | .ftpconfig | 2/5 | 0
36 | .remote-sync.json | 2/3 | 0
37 | .ssh/id_rsa | 1/1 | 0
38 | .ssh/id_rsa.pub | 1/1 | 0
39 | cloud/.tugboat | 1/3 | 0
40 | db/mongoid.yml | 1/1 | 0
41 | etc/shadow | 1/1 | 0
42 | filezilla/filezilla.xml | 1/3 | 0
43 | misc-keys/cert-key.pem | 1/1 | 0
44 | proftpdpasswd | 1/1 | 0
45 | web/ruby/config/master.key | 1/1 | 0
46 | .npmrc | 1/3 | 0
47 | web/var/www/public_html/.htpasswd | 1/1 | 0
48 | db/.pgpass | 1/1 | 0
49 | cloud/.s3cfg | 0/3 | 0
50 | misc-keys/putty-example.ppk | 0/2 | 0
51 | web/ruby/secrets.yml | 0/3 | 0
52 | web/django/settings.py | 0/1 | 0
53 |
--------------------------------------------------------------------------------
/.leaky-meta/benchmarking/GITROB.md:
--------------------------------------------------------------------------------
1 |
2 | Tool: https://github.com/michenriksen/gitrob
3 | Command Used: `gitrob (web interface)`
4 | Files covered: 2/44 (4.54% coverage)
5 | Total finds: 3/179 (1.67% coverage)
6 | False Positives: 0
7 |
8 | File Name | Found/Total | False Positives |
9 | ---------------------------------------|----------------|-----------------|
10 | misc-keys/cert-key.pem | 1/1 | 0
11 | .npmrc | 2/3 | 0
12 | .mozilla/firefox/logins.json | 0/28 | 0
13 | .bash_profile | 0/11 | 0
14 | .bashrc | 0/6 | 0
15 | web/var/www/.env | 0/10 | 0
16 | web/ruby/secrets.yml | 0/3 | 0
17 | cloud/.credentials | 0/4 | 0
18 | cloud/heroku.json | 0/2 | 0
19 | high-entropy-misc.txt | 0/2 | 0
20 | ventrilo_srv.ini | 0/2 | 0
21 | .ssh/id_rsa | 0/1 | 0
22 | db/mongoid.yml | 0/1 | 0
23 | cloud/.tugboat | 0/3 | 0
24 | .vscode/sftp.json | 0/4 | 0
25 | hub | 0/2 | 0
26 | .docker/config.json | 0/6 | 0
27 | sftp-config.json | 0/4 | 0
28 | .idea/WebServers.xml | 0/2 | 0
29 | misc-keys/putty-example.ppk | 0/2 | 0
30 | .docker/.dockercfg | 0/6 | 0
31 | web/var/www/public_html/config.php | 0/4 | 0
32 | .remote-sync.json | 0/3 | 0
33 | deployment-config.json | 0/4 | 0
34 | db/.pgpass | 0/1 | 0
35 | web/var/www/public_html/.htpasswd | 0/1 | 0
36 | .netrc | 0/2 | 0
37 | db/dump.sql | 0/10 | 0
38 | proftpdpasswd | 0/1 | 0
39 | etc/shadow | 0/1 | 0
40 | .ssh/id_rsa.pub | 0/1 | 0
41 | web/var/www/public_html/wp-config.php | 0/12 | 0
42 | web/django/settings.py | 0/1 | 0
43 | .ftpconfig | 0/5 | 0
44 | .git-credentials | 0/1 | 0
45 | filezilla/filezilla.xml | 0/3 | 0
46 | .esmtprc | 0/3 | 0
47 | db/dbeaver-data-sources.xml | 0/1 | 0
48 | web/ruby/config/master.key | 0/1 | 0
49 | cloud/.s3cfg | 0/3 | 0
50 | config | 0/4 | 0
51 | web/js/salesforce.js | 0/1 | 0
52 | filezilla/recentservers.xml | 0/6 | 0
53 | db/robomongo.json | 0/7 | 0
54 |
--------------------------------------------------------------------------------
/.leaky-meta/benchmarking/TRUFFLEHOG.md:
--------------------------------------------------------------------------------
1 | Tool: https://github.com/dxa4481/truffleHog
2 | Command Used: `trufflehog --json --regex .`
3 | Files covered: 23/44 (52.27% coverage)
4 | Total finds: 40/175 (22.86% coverage)
5 | False Positives: 43
6 |
7 | File Name | Found/Total | False Positives |
8 | ---------------------------------------|----------------|-----------------|
9 | misc-keys/cert-key.pem | 25/1 | 24
10 | misc-keys/putty-example.ppk | 21/2 | 19
11 | db/dump.sql | 8/10 | 0
12 | web/ruby/secrets.yml | 3/3 | 0
13 | .docker/.dockercfg | 2/4 | 0
14 | .docker/config.json | 2/4 | 0
15 | .mozilla/firefox/logins.json | 2/28 | 0
16 | cloud/.credentials | 2/4 | 0
17 | cloud/.tugboat | 2/3 | 0
18 | filezilla/recentservers.xml | 2/6 | 0
19 | high-entropy-misc.txt | 2/2 | 0
20 | .bash_profile | 1/11 | 0
21 | .bashrc | 1/6 | 0
22 | .ssh/id_rsa | 1/1 | 0
23 | .ssh/id_rsa.pub | 1/1 | 0
24 | cloud/.s3cfg | 1/3 | 0
25 | cloud/heroku.json | 1/2 | 0
26 | db/mongoid.yml | 1/1 | 0
27 | etc/shadow | 1/1 | 0
28 | proftpdpasswd | 1/1 | 0
29 | web/ruby/config/master.key | 1/1 | 0
30 | web/var/www/.env | 1/10 | 0
31 | hub | 1/2 | 0
32 | filezilla/filezilla.xml | 0/3 | 0
33 | .npmrc | 0/3 | 0
34 | web/var/www/public_html/wp-config.php | 0/12 | 0
35 | web/var/www/public_html/.htpasswd | 0/1 | 0
36 | .git-credentials | 0/1 | 0
37 | db/robomongo.json | 0/7 | 0
38 | web/js/salesforce.js | 0/1 | 0
39 | .netrc | 0/2 | 0
40 | config | 0/4 | 0
41 | db/.pgpass | 0/1 | 0
42 | ventrilo_srv.ini | 0/2 | 0
43 | web/var/www/public_html/config.php | 0/4 | 0
44 | db/dbeaver-data-sources.xml | 0/1 | 0
45 | .esmtprc | 0/3 | 0
46 | web/django/settings.py | 0/1 | 0
47 | deployment-config.json | 0/4 | 0
48 | .ftpconfig | 0/5 | 0
49 | .remote-sync.json | 0/3 | 0
50 | .vscode/sftp.json | 0/4 | 0
51 | sftp-config.json | 0/4 | 0
52 | .idea/WebServers.xml | 0/2 | 0
53 |
--------------------------------------------------------------------------------
/.leaky-meta/install-test-tools.sh:
--------------------------------------------------------------------------------
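#!/usr/bin/env bash
# Install the scanners benchmark.py drives: gitleaks (prebuilt linux-amd64
# release binary into ~/.local/bin), its example config, and the pip
# packages detect-secrets and truffleHog.
# This file is sourced by benchmark.sh, so 'exit' ends the caller as well.

if ! command -v pip > /dev/null 2>&1; then
  printf '%s\n' "Pip and Python are required for installing detect-secrets and truffleHog, but pip was not found!" >&2
  exit 1
fi

mkdir -p ~/.local/bin
if ! command -v gitleaks > /dev/null 2>&1; then
  # Resolve the latest linux-amd64 asset URL from the GitHub releases API.
  # '-m 1' keeps the first match only, since the URL is passed as a single
  # argument; quotes and spaces are stripped so the value can be quoted below.
  latest=$(curl -s https://api.github.com/repos/zricethezav/gitleaks/releases/latest \
    | grep -m 1 "browser_download_url.*linux-amd64" | cut -d : -f 2,3 | tr -d '" ')
  # The API answer is untrusted input: refuse anything that is not an https
  # URL. Previously an empty value (e.g. from API rate limiting) made wget
  # download nothing and chmod an empty file.
  case $latest in
    https://*) ;;
    *)
      printf 'Could not determine the latest gitleaks download URL (got: %s)\n' "$latest" >&2
      exit 1
      ;;
  esac
  # NOTE(review): the downloaded binary is not checksum- or signature-verified;
  # a failed download is removed so a later run does not mistake it for gitleaks.
  wget "$latest" -O ~/.local/bin/gitleaks || { rm -f ~/.local/bin/gitleaks; exit 1; }
  chmod +x ~/.local/bin/gitleaks
fi
wget https://raw.githubusercontent.com/zricethezav/gitleaks/master/examples/leaky-repo.toml -O gitleaks-config.toml || exit 1

pip install detect-secrets truffleHog || exit 1
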
--------------------------------------------------------------------------------
/.leaky-meta/secrets.csv:
--------------------------------------------------------------------------------
1 | #########################################################################################################
2 | # We break secrets into two categories, "risk" and "informative".
3 | # Lines that are "risk" present an actual risk; "informative" lines disclose potentially sensitive or useful information.
4 | # The CSV counts any line containing risk as "Risk", and lines with Informatives as "Informative".
5 | # Lines with both risk and informative are treated as a single line of risk to simplify counting.
6 | # Lines with multiple risks or informatives are still counted as 1.
7 | #########################################################################################################
8 | # name,num_risk,num_informative
9 | .bash_profile,6,5
10 | .bashrc,3,3
11 |
12 | # Here the users are informative, the auth is risk.
13 | # The URLs may be informative in rare cases, but will likely
14 | # just be docker hub in most cases.
15 | .docker/.dockercfg,2,2
16 | # Same as above
17 | .docker/config.json,2,2
18 |
19 | # For all 4 firefox profiles:
20 | # Risk: encryptedUsername, encryptedPassword
21 | # Informative: hostname, timeCreated, timeLastUsed, timePasswordChanged, timesUsed
22 | .mozilla/firefox/logins.json,8,20
23 | .ssh/id_rsa,1,0
24 | .ssh/id_rsa.pub,0,1
25 | cloud/.credentials,2,2
26 | cloud/.s3cfg,1,2
27 | cloud/.tugboat,1,2
28 | cloud/heroku.json,1,1
29 | db/dump.sql,10,0
30 | db/mongoid.yml,1,0
31 | etc/shadow,1,0
32 | filezilla/recentservers.xml,3,3
33 | filezilla/filezilla.xml,2,1
34 | high-entropy-misc.txt,0,2
35 | misc-keys/cert-key.pem,1,0
36 |
37 | # Putty has both public and private keys
38 | misc-keys/putty-example.ppk,1,1
39 | proftpdpasswd,1,0
40 | web/ruby/config/master.key,1,0
41 | web/ruby/secrets.yml,3,0
42 | web/var/www/.env,6,4
43 | .npmrc,2,1
44 | web/var/www/public_html/wp-config.php,9,3
45 | web/var/www/public_html/.htpasswd,1,0
46 | .git-credentials,1,0
47 |
48 | # Risk: userPassword, sshPassphrase, sshUserPassword
49 | # Informative: serverHost, sshHost, sshUserName, userName
50 | db/robomongo.json,3,4
51 | web/js/salesforce.js,1,0
52 | .netrc,2,0
53 | hub,1,1
54 | config,1,3
55 | db/.pgpass,1,0
56 | ventrilo_srv.ini,2,0
57 | web/var/www/public_html/config.php,1,3
58 | db/dbeaver-data-sources.xml,1,0
59 |
60 | # Risk: password
61 | # Informative: hostname, username
62 | .esmtprc,2,1
63 | web/django/settings.py,1,0
64 |
65 | # Risk: password
66 | # Informative: host, username, remotePath
67 | deployment-config.json,3,1
68 |
69 | # Risk: password, passphrase (for private key)
70 | # Informative: host, user, remote
71 | .ftpconfig,3,2
72 |
73 | # Risk: password
74 | # Informative: hostname, username
75 | .remote-sync.json,1,2
76 |
77 | # Risk: password
78 | # Informative: host, remotePath, username
79 | .vscode/sftp.json,1,3
80 |
81 | # Risk: password
82 | # Informative: host, remote_path, user
83 | sftp-config.json,1,3
84 |
85 | # Risk: fileTransfer password
86 | # Informative: webServer name+url
87 | .idea/WebServers.xml,1,1
--------------------------------------------------------------------------------
/.leaky-meta/trufflehog_exclude_paths.txt:
--------------------------------------------------------------------------------
1 | .leaky-meta/
--------------------------------------------------------------------------------
/.mozilla/firefox/cert9.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Plazmaz/leaky-repo/2e951359cac53addbee56437da3ffb546e3dfe24/.mozilla/firefox/cert9.db
--------------------------------------------------------------------------------
/.mozilla/firefox/key4.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Plazmaz/leaky-repo/2e951359cac53addbee56437da3ffb546e3dfe24/.mozilla/firefox/key4.db
--------------------------------------------------------------------------------
/.mozilla/firefox/logins.json:
--------------------------------------------------------------------------------
1 | {
2 | "nextId": 6,
3 | "logins": [
4 | {
5 | "id": 2,
6 | "hostname": "https://github.com",
7 | "httpRealm": null,
8 | "formSubmitURL": "https://github.com",
9 | "usernameField": "login",
10 | "passwordField": "password",
11 | "encryptedUsername": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDAMJYvxVWmNBBAYOR+4wZeLSB7kqJ/GDhj3",
12 | "encryptedPassword": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBQ0N0EftdcPBBD9CaBvRSe9MhhqBjbd3UG8",
13 | "guid": "{749a98c7-c83e-4033-aafc-647f562b7166}",
14 | "encType": 1,
15 | "timeCreated": 1515902314887,
16 | "timeLastUsed": 1515902314887,
17 | "timePasswordChanged": 1515902314887,
18 | "timesUsed": 1
19 | },
20 | {
21 | "id": 3,
22 | "hostname": "https://github.com",
23 | "httpRealm": null,
24 | "formSubmitURL": "https://github.com",
25 | "usernameField": "login",
26 | "passwordField": "password",
27 | "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECF7kv84cNrhKBAgHD6N4RU01Tg==",
28 | "encryptedPassword": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBUufYeWbuziBBAraNDREdVus+piXPZaR/Ym",
29 | "guid": "{3946cc16-e11a-48e7-8128-7ccfe76497a2}",
30 | "encType": 1,
31 | "timeCreated": 1515902330602,
32 | "timeLastUsed": 1515902330602,
33 | "timePasswordChanged": 1515902330602,
34 | "timesUsed": 1
35 | },
36 | {
37 | "id": 4,
38 | "hostname": "https://github.com",
39 | "httpRealm": null,
40 | "formSubmitURL": "https://github.com",
41 | "usernameField": "login",
42 | "passwordField": "password",
43 | "encryptedUsername": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJzC0s27eOVuBBAaivvk2xSAcu3VP6oAkODX",
44 | "encryptedPassword": "MFIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNa3fxQUbhzwBCjyWS8Qx2UiUcoq3nvLmPXWtc4bdm88HLfIMTGJcM7WvDALDHdWIAwY",
45 | "guid": "{f2242a97-e40a-4540-a3f9-d6135326d76a}",
46 | "encType": 1,
47 | "timeCreated": 1515902347570,
48 | "timeLastUsed": 1515902347570,
49 | "timePasswordChanged": 1515902347570,
50 | "timesUsed": 1
51 | },
52 | {
53 | "id": 5,
54 | "hostname": "https://github.com",
55 | "httpRealm": null,
56 | "formSubmitURL": "https://github.com",
57 | "usernameField": "login",
58 | "passwordField": "password",
59 | "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJXdeSs0MeMMBAhRbgoUvJ9GJA==",
60 | "encryptedPassword": "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCSrh9ud0IorBDA4ncCjHIDjDlUIliEvJ7at4r2M68qLKFHTGEsiUkRJjRJ0ir6Zy59rKq4EtVnrzMI=",
61 | "guid": "{48dc6764-a352-4e7d-af8a-b3605ef86cce}",
62 | "encType": 1,
63 | "timeCreated": 1515902367721,
64 | "timeLastUsed": 1515902367721,
65 | "timePasswordChanged": 1515902367721,
66 | "timesUsed": 1
67 | }
68 | ],
69 | "disabledHosts": [],
70 | "version": 2
71 | }
--------------------------------------------------------------------------------
/.netrc:
--------------------------------------------------------------------------------
1 | machine imap.gmail.com login example@gmail.com password pass123
2 | machine smtp.gmail.com login example@gmail.com password pass123
--------------------------------------------------------------------------------
/.npmrc:
--------------------------------------------------------------------------------
1 | registry="https://registry.npmjs.org/"
2 | always-auth=true
3 | package-lock=false
4 | # Informative
5 | email=dummy@example.com
6 | # Risk
7 | _auth = YWRtaW46YWRtaW4=
8 | # Risk
9 | //registry.npmjs.org/:_authToken=26dfe8d8-889b-4380-92ff-9c3c6ea5d930
10 |
--------------------------------------------------------------------------------
/.remote-sync.json:
--------------------------------------------------------------------------------
1 | {
2 | "logger": {
3 | "title": "Remote Sync"
4 | },
5 | "transport": "ftp",
6 | "uploadOnSave": false,
7 | "useAtomicWrites": false,
8 | "deleteLocal": false,
9 | "hostname": "example.com",
10 | "ignore": [
11 | ".remote-sync.json",
12 | ".git/**"
13 | ],
14 | "watch": [],
15 | "target": "/var/www",
16 | "username": "root",
17 | "password": "hunter22"
18 | }
--------------------------------------------------------------------------------
/.ssh/id_rsa:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIEogIBAAKCAQEAjosMtDUqbE1/8zxZac1t8fkh2SxGuMXHk9yxniyM2m76donW
3 | GcbdgKgLQfoL67Pi3M3Hatsk7SCxXsZiYr6cXOtJq70VM53rr3cxO3JwKCbJ985D
4 | U0juGTK6j13kdGpYl3J/8ZBJWpMzDA8J5TUslHBzox1cww2R+TkqoaoYSEKiXZAN
5 | Vlg8TPplRMEZCk4IpswUk+8IMSmn+ci3+wJaoaNcxwr5IratyIvKuypOCKxZvlfD
6 | pOiHJjew0sacwc0FK8vv4s63wmPLkCrS1BzLLD7ihjxM4lJ2/mBdYSeXme/JN9n4
7 | x0RyT82qhkbiijAo7StiWJpFikqPdT2m5d3JoQIDAQABAoIBAFp9Iz9zUM8YE9XR
8 | xeFIrDckNLytQughhiTzwT3sgi5YrV96+RO8DvmRtDPaDJ9Avw/1Aldvbu2qB29m
9 | +SY+Yv0J0ObZThBKfEgTnoliiJi0pxpNMqg4cA5HCe/hZxoQONVLtrUfJ7H8KDfL
10 | hDihnP9Os9ok1bJtdvGDvPCMDoYv9EgiRP0Kk0k261JGfk7wz2gooj4FNkeHie70
11 | oybto+xZ8ciJm1qKM+oR+AuRLPxICfwVIIvYpJKerGCtZEg4oLn2twUF1tLESYTm
12 | YujMhcXp1HzHfU+9D5vVcOM5BzCXvkf7xNW/PJQoMLTup0Jt51rpydkCICcC8fOm
13 | HGufKFECgYEAxI9ryi6sprrv8MyC1YzO5cLN7PA6MOCnGf4Rwt+MPg5jqMIfJuVI
14 | PBu48X03gYi6QWIWtBumg3lzg7RB4mGQa8qFRttpaikTN0Srt2mYCPAOjc85RXhj
15 | tv1r74l6C1AwVJvInhd20n5lrlGZE5O26uwBMVbHaXGKnMJABXyBX9MCgYEAuaXu
16 | 0g/4eSsYeyg3ErLKCztFMqZX5oVRfeuTzA4wqScJ3IRYtby4ammeVgVB0+yIMi29
17 | snfl+9PuJcndCJxcWBce1JIom73SQ3VdJG3xe7QuAKU3fbVuRint1A5nzfIVNtUo
18 | Sd3g23vSbmDv5Kow0dmUfYlRiSsd3YpnSzTD/DsCgYAVxXj/9PmEojIPbueS9by4
19 | 8EHU26rmXQvFMkIPXqlu+jMJry66JS1CEyQCA4eRXm6a7V1sZ5+i8mHcFawygfH4
20 | Ln9ioMzlSFVrirymXRjM7KIADRLf4fzRePJqnsSY2jHwPS0Uba7ok715eGpHI9Zf
21 | 4PIk3+LIiB39TPrAYNEHpwKBgCdlCcezseNsfLZtszoZjHxTqHx2BgMZ2VAiNGvB
22 | uxu5+AK+ZuCx2mRiY0IXvX9OGxyizjVX8gq9TzTfoDLak1HyHg23sjxSTJMaDZjU
23 | Z8D7XCOw65SWcn8bGKe+ItL2AwBuvSznk3af0OixU1avssplJHh7Mj0sVBsV6pNv
24 | 8ALPAoGASGSMbabnNdRK/dikfOhtDiIgkSL0uUPi3zE3mNHc3AESoniOLN+YHeLZ
25 | 3UA/fSVL7T624+QNFufE+JUYkC4fY+esyO9rb0HuBoCltKPVYyjbtxavd0mKhZih
26 | j3gOxj3Iqf7hzGsf8is6ACD0Gqv0NX4NgrG5s0RVSoA3/2fWIDE=
27 | -----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/.ssh/id_rsa.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOiwy0NSpsTX/zPFlpzW3x+SHZLEa4xceT3LGeLIzabvp2idYZxt2AqAtB+gvrs+Lczcdq2yTtILFexmJivpxc60mrvRUzneuvdzE7cnAoJsn3zkNTSO4ZMrqPXeR0aliXcn/xkElakzMMDwnlNSyUcHOjHVzDDZH5OSqhqhhIQqJdkA1WWDxM+mVEwRkKTgimzBST7wgxKaf5yLf7Alqho1zHCvkitq3Ii8q7Kk4IrFm+V8Ok6IcmN7DSxpzBzQUry+/izrfCY8uQKtLUHMssPuKGPEziUnb+YF1hJ5eZ78k32fjHRHJPzaqGRuKKMCjtK2JYmkWKSo91Pabl3cmh
--------------------------------------------------------------------------------
/.vscode/sftp.json:
--------------------------------------------------------------------------------
1 | {
2 | "protocol": "sftp",
3 | "host": "example.com",
4 | "remotePath": "/var/www",
5 | "username": "root",
6 | "password": "swordfish!23"
7 | }
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2019 Dylan Katz
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Leaky Repo 🚿
2 |
3 | ## Table of contents
4 | * [FAQ](#FAQ)
5 | * [Secrets](#Secrets)
6 | * [Results](#Results)
7 | * [Changelog](#Changelog)
8 | * [Contact](#Contact)
9 |
10 | # FAQ
11 | ## What is this?
12 | This is a repo full of mistakes. I will include several of the secrets I've seen commonly leaking from real projects. It will be useful for testing scanning tools such as [github-dorks](https://github.com/techgaun/github-dorks) and [truffleHog](https://github.com/dxa4481/truffleHog).
13 |
14 | ## Where did you get these?
15 | It's worth noting that none of the secrets here are real. They are all things I've seen before, but I've randomized or redacted all of the actual data. The vast majority of secrets will likely be taken from patterns created for github-dorks, which are primarily derived from config files for popular services. I've also worked on several scanning tools in the past, most notably [github-dorks](https://github.com/techgaun/github-dorks), [PasteHunter](https://github.com/kevthehermit/PasteHunter) and [GHScraper](https://github.com/Plazmaz/GHScraper), as well as several other non-public or unreleased scanners. Essentially, I've seen a **lot** of whoopsies on git, which will also be included.
16 |
17 | ## Why did you make this repo?
18 | This repo was made to serve as a benchmark for secrets scanners. Repo scanning tools have varying levels of coverage, and so far the go-to option has been "slam a bunch together". This repo is also partially to test my theory that this technique still isn't really sufficient. Regardless, you can't _just_ scan for high entropy, and you can't _just_ scan for patterns, you need to do both!
19 |
20 | ## How can I avoid uploading these secrets?
21 | I've written a blog post on [Why We Fail at Keeping Git Secrets](https://dylankatz.com/Why-We-Fail-At-Keeping-Git-Secrets/?utm_source=leaky_repo). If you truly want to keep your secrets safe, separate them from your repo. If that's a config file, that's fine. If it's a secrets management/storage system, that's even better. As long as you can stop git from adding that information by default, you're unlikely to hit any problems.
22 |
23 | # Secrets
24 | Filename | Description
25 | ------------------------------------------------|--------------------------------------------------------------------------
26 | .npmrc | NPM registry authentication data
27 | .dockercfg | Docker registry authentication data
28 | misc-keys/cert-key.pem | PEM Private key
29 | misc-keys/putty-example.ppk | PuTTYgen private key
30 | .ssh/id_rsa | Private ssh key
31 | .ssh/id_rsa.pub | Public ssh key (might still not be ideal)
32 | db/dump.sql | MySQL dump w/ bcrypt hashes
33 | cloud/.credentials | S3 Credentials file
34 | cloud/.s3cfg | S3 Credentials file
35 | cloud/.tugboat | Digital Ocean tugboat config
36 | cloud/heroku.json | Heroku config
37 | web/var/www/public_html/wp-config.php | WordPress config file
38 | web/var/www/public_html/.htpasswd | htpasswd file
39 | web/var/www/public_html/config.php | PHP application config file
40 | web/var/www/.env | Laravel .env (CI, various ruby based frameworks too)
41 | .git-credentials | Git credentials store
42 | .bashrc | .bashrc file (contains several secrets as environment variables)
43 | .bash_profile | .bash_profile file (contains several secrets as environment variables)
44 | db/robomongo.json | Mongolab credentials for robomongo
45 | db/mongoid.yml | Mongoid config file
46 | web/js/salesforce.js | Salesforce credentials in a nodejs project
47 | .netrc | netrc with SMTP credentials
48 | hub | Hub config that stores github tokens
49 | filezilla/filezilla.xml | Filezilla config file
50 | filezilla/recentservers.xml | Filezilla recent servers file
51 | .docker/config.json | Docker registry authentication file
52 | config | IRC config
53 | db/.pgpass | PostgreSQL file which contains passwords
54 | /proftpdpasswd | Usernames and passwords of proftpd created by cpanel
55 | ventrilo_srv.ini | Ventrilo configuration
56 | etc/shadow | Linux /etc/shadow file
57 | db/dbeaver-data-sources.xml | DBeaver config containing MySQL Credentials
58 | /.esmtprc | esmtp configuration
59 | .mozilla/firefox/logins.json | Firefox saved password collection (can be decrypted using key4.db)
60 | web/django/settings.py | Django settings.py, contains a valid secret key
61 | web/ruby/secrets.yml | Ruby on rails secrets.yml file (contains passwords)
62 | ruby/config/master.key | Rails master key (used for decrypting `credentials.yml.enc` for Rails 5.2+)
63 | deployment-config.json | Created by sftp-deployment for Atom, contains server details and credentials
64 | .ftpconfig | Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials
65 | .remote-sync.json | Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials
66 | .vscode/sftp.json | Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentials
67 | sftp-config.json | Created by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials
68 | .idea/WebServers.xml | Created by Jetbrains IDEs, contains webserver credentials with encoded passwords ([not encrypted!](https://intellij-support.jetbrains.com/hc/en-us/community/posts/207074025/comments/207034775))
69 | high-entropy-misc.txt | Misc high entropy strings (HES1 is plain, HES2 is base64)
70 |
71 | # Results
72 | We've tested a few tools and generated metrics for it. You can see how the tools tested so far stack up in [Benchmarking](https://github.com/Plazmaz/leaky-repo/tree/master/.leaky-meta/benchmarking)
73 | If there's a tool you'd like tested, please file an issue with details on it or create a PR. We are focused primarily on command-line based tools, but are also happy to accept results from web or GUI-based tools, as long as you include the full results and details about the tool.
74 |
75 | # Changelog
76 | You can see recent changes made in our [CHANGELOG.md file](https://github.com/Plazmaz/leaky-repo/blob/master/.leaky-meta/CHANGELOG.md) or under [Releases](https://github.com/Plazmaz/leaky-repo/releases). We use semantic versioning for releases.
77 |
78 | # Contact
79 | Got a question? Found something worth adding?
80 | [File an issue](https://github.com/Plazmaz/leaky-repo/issues)
81 | Have another reason to contact me? You can find me on Twitter:
82 | [@Plazmaz](https://twitter.com/Plazmaz)
83 |
84 |
85 | It's also worth noting that many of the original patterns used to find the filenames and examples of several secrets came from github-dorks, which is under the [Apache 2.0 License](https://github.com/techgaun/github-dorks/blob/master/LICENSE). Also, for the sake of full disclosure, I am a maintainer on that project.
--------------------------------------------------------------------------------
/cloud/.credentials:
--------------------------------------------------------------------------------
1 | # AWS Credentials file
2 | [default]
3 | aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used alone
4 | aws_secret_access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX
5 | [second-profile]
6 | aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used alone
7 | aws_secret_access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX
8 |
--------------------------------------------------------------------------------
/cloud/.s3cfg:
--------------------------------------------------------------------------------
1 | secret_key = yLryKGwcGc3ez9G8YAnjeYMQOc # Sensitive
2 | access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX # Informative
3 | host_base = s3.us-west-1.amazonaws.com
4 | host_bucket = dummy_bucket-9u3258hj.s3.us-west-1.amazonaws.com # Informative
5 | signature_v2 = False
6 | use_https = False
--------------------------------------------------------------------------------
/cloud/.tugboat:
--------------------------------------------------------------------------------
1 | ---
2 | authentication:
3 | client_key: 383c8164d4bdd95d8b1bfbf4f540d754 # Informative
4 | api_key: 3b6311afca5bd8aac647b316704e9c6d # Risk.
5 | ssh:
6 | ssh_user: admin # Informative
7 | ssh_key_path: "~/.ssh/deploy.pem"
8 | ssh_port: '22'
9 | defaults:
10 | region: nyc2
11 | image: ubuntu-18-04-x64
12 | size: '512mb'
13 | ssh_key: ''
14 | private_networking: 'false'
15 | backups_enabled: 'false'
--------------------------------------------------------------------------------
/cloud/heroku.json:
--------------------------------------------------------------------------------
1 | {
2 | "heroku": {
3 | "HEROKU_EMAIL": "heroku@example.com",
4 | "HEROKU_API_KEY": "7a2f9a4289e530bef6dbf31f4cbf63d5"
5 | }
6 | }
--------------------------------------------------------------------------------
/config:
--------------------------------------------------------------------------------
1 | # IRC config
2 | # Informative
3 | IRC_HOST=irc.example.com
4 | # Informative
5 | IRC_NAME="realname"
6 | IRC_PORT=6697
7 | # Informative
8 | IRC_NICK=nick
9 | # Risk
10 | IRC_PASS=irc_pass
--------------------------------------------------------------------------------
/db/.pgpass:
--------------------------------------------------------------------------------
1 | #hostname:port:database:username:password
2 | localhost:5432:database:root:password
--------------------------------------------------------------------------------
/db/dbeaver-data-sources.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/db/dump.sql:
--------------------------------------------------------------------------------
1 | -- MySQL dump 10.13 Distrib 8.0.1, for Linux (x86_64)
2 | --
3 | -- Host: 127.0.0.1 Database: main
4 | -- ------------------------------------------------------
5 | -- Server version 8.0.12
6 |
7 | /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
8 | /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
9 | /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
10 | /*!40101 SET NAMES utf8 */;
11 | /*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
12 | /*!40103 SET TIME_ZONE='+00:00' */;
13 | /*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
14 | /*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
15 | /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
16 | /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
17 |
18 |
19 | CREATE TABLE IF NOT EXISTS `users` (
20 | `user_id` int(11) NOT NULL AUTO_INCREMENT,
21 | `username` varchar(255) DEFAULT NULL,
22 | `password` varchar(60) DEFAULT NULL,
23 | `flag` tinyint(10) DEFAULT NULL,
24 | PRIMARY KEY (`user_id`)
25 | ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=10001 ;
26 |
27 | --
28 | -- Dumping data for table `users`
29 | --
30 |
31 | INSERT INTO `users` (`user_id`, `username`, `password`, `flag`) VALUES
32 | (1, 'rogers63', '$2y$12$s.YfVZdfvAuO/Iz6fte5iO..ZbbEgreZnDcYOGvX4NGJskYQIstcG', 1),
33 | (2, 'mike28', '$2y$12$Sq//4hEpn1z91c3I/iU67.rqaHNtD3ucwG0Ncx7vOsHST4Jsr2Q0C', 0),
34 | (3, 'rivera92', '$2y$12$3iskP41QVYgh2GFesX2Rpe0DstoL9GpIsvYxM4VI24jcILuCha3O2', 1),
35 | (4, 'ross95', '$2y$12$hnktY9dEP/LexZjZ5b9B7ubzgxjO2393dWDaregvwPPaiRicOYkpu', 1),
36 | (5, 'paul85', '$2y$12$M593ZP8u9pOnJiBIUbyW1.r8KfCy8uv9UCgDlX2oj3OtHmibEsQie', 1),
37 | (6, 'smith34', '$2y$12$GEu9AWgT/Jf9Kgj/WEUanOkoa5OBC6W4cPkGeuVyROcS9T1U6orX.', 0),
38 | (7, 'james84', '$2y$12$hjrJNp/UijB4YKg5rMhDeOoqUT5Oe2T7pTfxCEgyfgYtrHC5ph36W', 0),
39 | (8, 'daniel53', '$2y$12$lipAFqG0QyyYKa.S16oTNOdFgkr3svEUx7JOl1HYU4m03oYFq89Uq', 1),
40 | (9, 'brooks80', '$2y$12$/jJGIYh9wizWMFIcu79TEucXzYtvRdn3YxUpGUKnoZT1B6Gv2taSm', 0),
41 | (10, 'morgan65', '$2y$12$kZ55ticjwXD9d/A5o3y8..fA7/1qycT2befZ4QrCjJCfrxk415gUy', 1);
42 |
--------------------------------------------------------------------------------
/db/mongoid.yml:
--------------------------------------------------------------------------------
1 | production:
2 | clients:
3 | default:
4 | uri: "mongodb://testuser:testpass@ds048537.mongolab.com:48537/main"
--------------------------------------------------------------------------------
/db/robomongo.json:
--------------------------------------------------------------------------------
1 | {
2 | "autoExec" : true,
3 | "autoExpand" : true,
4 | "autocompletionMode" : 1,
5 | "batchSize" : 50,
6 | "connections" : [
7 | {
8 | "connectionName" : "New Connection",
9 | "credentials" : [
10 | {
11 | "databaseName" : "main",
12 | "enabled" : false,
13 | "userName" : "mongouser",
14 | "userPassword" : "mongopass"
15 | }
16 | ],
17 | "defaultDatabase" : "main",
18 | "serverHost" : "localhost",
19 | "serverPort" : 27017,
20 | "sshAuthMethod" : 0,
21 | "sshHost" : "localhost",
22 | "sshPassphrase" : "SSHPass123",
23 | "sshPort" : 22,
24 | "sshPrivateKey" : "",
25 | "sshPublicKey" : "",
26 | "sshUserName" : "root",
27 | "sshUserPassword" : "roboMongoSSHPass",
28 | "sslEnabled" : false,
29 | "sslPemKeyFile" : ""
30 | }
31 | ],
32 | "disableConnectionShortcuts" : false,
33 | "lineNumbers" : true,
34 | "loadMongoRcJs" : true,
35 | "style" : "Native",
36 | "timeZone" : 0,
37 | "toolbars" : {
38 | "connect" : true,
39 | "exec" : true,
40 | "explorer" : true,
41 | "logs" : false,
42 | "open_save" : true
43 | },
44 | "uuidEncoding" : 0,
45 | "version" : "1.0",
46 | "viewMode" : 1
47 | }
--------------------------------------------------------------------------------
/deployment-config.json:
--------------------------------------------------------------------------------
1 | {
2 | "type": "sftp",
3 | "host": "example.com",
4 | "username": "root",
5 | "password": "hunter22",
6 | "port": 22,
7 | "remotePath": "/var/www",
8 | "uploadOnSave": true
9 | }
--------------------------------------------------------------------------------
/etc/shadow:
--------------------------------------------------------------------------------
1 | root::17431:0:99999:7:::
2 | daemon:*:17431:0:99999:7:::
3 | bin:*:17431:0:99999:7:::
4 | sys:*:17431:0:99999:7:::
5 | sync:*:17431:0:99999:7:::
6 | games:*:17431:0:99999:7:::
7 | man:*:17431:0:99999:7:::
8 | lp:*:17431:0:99999:7:::
9 | mail:*:17431:0:99999:7:::
10 | news:*:17431:0:99999:7:::
11 | uucp:*:17431:0:99999:7:::
12 | proxy:*:17431:0:99999:7:::
13 | www-data:*:17431:0:99999:7:::
14 | backup:*:17431:0:99999:7:::
15 | list:*:17431:0:99999:7:::
16 | irc:*:17431:0:99999:7:::
17 | gnats:*:17431:0:99999:7:::
18 | nobody:*:17431:0:99999:7:::
19 | sshd:*:17431:0:99999:7:::
20 | ubuntu:$6$LnUhhUi45srUKt9i$4Hp6VRTOB2mxvsYH8mwsCfBryg6hCbm4JJjV26KplN8ewZ7EUVqQDkLKDW.O8XRHx.B76JkwXtyD3wnAXEuZN1:0:99999:7:::
--------------------------------------------------------------------------------
/filezilla/filezilla.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | example.com
7 | 21
8 | 0
9 | 0
10 |
11 | root
12 |
13 | ExamplePas123
14 | example.com
15 | 4
16 | 0
17 | MODE_DEFAULT
18 | 0
19 | Auto
20 | 0
21 | example.com
22 |
23 |
24 |
25 | 0
26 |
27 |
28 |
--------------------------------------------------------------------------------
/filezilla/recentservers.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | localhost
7 | 21
8 | 0
9 | 0
10 |
11 | root
12 |
13 | NjllNWU5ZWMwZDU0MmU5Y2QwOTY4MWM5YzZhMDdkYWVmNjg3OWE3MDMzM2Q4MWJmCg==
14 | 1
15 | 0
16 | MODE_DEFAULT
17 | 0
18 | Auto
19 | 0
20 |
21 |
22 |
23 | localhost
24 | 22
25 | 1
26 | 0
27 |
28 | root
29 |
30 | NjllNWU5ZWMwZDU0MmU5Y2QwOTY4MWM5YzZhMDdkYWVmNjg3OWE3MDMzM2Q4MWJmCg==
31 | 1
32 | 0
33 | MODE_DEFAULT
34 | 0
35 | Auto
36 | 0
37 |
38 |
39 |
--------------------------------------------------------------------------------
/high-entropy-misc.txt:
--------------------------------------------------------------------------------
1 | HES1:7IWGVUX901XHS5TAS7F5S19EI78WY474C1F92IEANMHEXDM7U80JRK76YFKDV16L
2 | HES2:SzdER1E3RlVRM0FEMFZYS0tIM0lEMExCWkgxSEhUSU5ZOFBER1hQQjdDUTVENUhZTVRKWEw3VDlCOVo0VDc5MAo=
--------------------------------------------------------------------------------
/hub:
--------------------------------------------------------------------------------
1 | ---
2 | github.com:
3 | - user: ocotcat
4 | oauth_token: "7f9cc25de23d1a255720b0ae4551f4044d600f46"
5 |
--------------------------------------------------------------------------------
/misc-keys/cert-key.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN PRIVATE KEY-----
2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDAbhr5Ivji3OE5
3 | NynIbnH20oXgMZ0B3DoDq2CY/crgWfzpiC6+LExbY7qZE/9mF/ttLu6nEaGs2jsb
4 | B7y4pGF059sgbd4TU+J/aZwb6I7Uh7rb7t6pOx8g6wBtXHS7yAgKjeodJZqBB+Nz
5 | XQoGvTRBHKdJgO7mK3WdVvPIFNZj+vMjlThADqu6Koh3dQ33OOk8y+c+fX7NRg77
6 | R/Ssmwpf2uOX9ZdygmFTjHia4INiY/z3LkmvyJ4gTL2xfiOQSi+ZUwq9qiNEqey7
7 | udGo7tH1pW+6OOdwdm4iUxTEU5VVt4xDGZBR302odBQBMWsP5w0LZePTIoWa1/Li
8 | xuQg016PAgMBAAECggEABZBpeUC4n56xaH0e2SvQYcmuk0/78TzT9J00+teD0T7o
9 | 4DvO1jLjtlTI5Xo9jU8uNvb/cZdB7ISW5u4vV8txAfdeT669mCN5ziNYnzn3P0/5
10 | aDic+Zm7CbGh3oeo3HEpQlzeIx+eOxLmUcSj8JPx+dwBPk/bGI6zJOyJugRYOqXP
11 | HxG1jRYiFuIzpYqtkT15yA5Qruz3XNgdhffraVcujzi/ha6Zj8oGKvxfTgaK+KnQ
12 | WgAstgVy2a1/AX94m1gpYLyscTaZekNcDohABaFRwQgz0jWBUNfcazb3Wo4LRU/2
13 | Kaf7+TYallpLIs/yZPepWutwxXjKBleUvxwr6LJjwQKBgQDnp936Mzm9fGPrBOIv
14 | 7+lQpe10CYcMySMyWu/rwpTPJLnNoJSZMdT0s3hSRdOca1QMpD1BLT94BckygPVQ
15 | ARrC2TFNJuFmEqCp1G8+Jjuz/zfYDJzcEzGTRZTMF1T41Zgktp9MSAan9aIkc5Bc
16 | /72MC5TqVqdGI8SO69m64WK14QKBgQDUpvfeKYOUztNgjjlJTY2Zu7xxJeEyacvQ
17 | DSsiAZXZGXMfGDCY4X5Ia1HZAXLluK25gGWFlDYVmvCbIZwhZb5BQ7RtOW3/rfAX
18 | SIQvjvJsZ18FuQxezel/QmpzKNIN7g50Kfm1OCwpWhSa+JxvEi5S2rGKLpevcF/X
19 | PXSn+3LCbwKBgGFW5i1F7RMz+4A7kxd1heI/dqF1h2vV8JYuI/Y60vCfi/tdaFNe
20 | 3w7bgsl/UcW+S5jsQljqvGqgc8Rm761oaWhKfy7eEYQke6IhA4Vn51pg+YQs+JR4
21 | 9DHf4QBJJYlRpxZ2LkWNVk6pJjKO5LBPPcRk8XPuaWdNjEBJ1jlyj1nBAoGAKX2m
22 | cSdib/9myLkXPlEuZqd1nhII/WAdDyvylYD/rstDZfa/TKT6kcC2yIN62o2M/9uo
23 | c0a2wsJnXa1SHEYQuAUwx/rjlnZmmPRiLjFS5YnJxYEUg87jVxwrTurRCTzAfzPN
24 | b+lU3ICh8pa9VwKSHUJkT5TFrcpcOM/Z2gi6nGsCgYEAuPIrct3AMUPp97FZufb+
25 | 5Wppz+lFNjwuNpMDp1qMVqfGyZtlCSdWAY6jepeoS94d3c8iSVVDe+o7Mn3fCWzw
26 | BxUw6qZGPnRG+9sgplZyXZyebwEPfwI+AacsCpnhwB+srBWfjBNF2I1/CwynFkQF
27 | oS6nDkCtJF50fFdawQoU4eQ=
28 | -----END PRIVATE KEY-----
29 |
--------------------------------------------------------------------------------
/misc-keys/putty-example.ppk:
--------------------------------------------------------------------------------
1 | PuTTY-User-Key-File-2: ssh-rsa
2 | Encryption: none
3 | Comment: dummy-key
4 | Public-Lines: 6
5 | AAAAB3NzaC1yc2EAAAABJQAAAQEAm5d5/daeAzNGKouE5k55gfHvpXzosIDIJgrq
6 | TN7ADDyYdNSKqQt3bukQPsjDx9kHhO5VoRGiwnf4mFuLDWDGaGM08IIoTOa/coap
7 | bJe2Ssn/IlW/8dwh9dba+ySxDIOi+2T9zDRCfNfbu5I5reBf3YvUOKvTh2vzEkL0
8 | vl0iu/gAu8bpz1vxEntTtgZqSrqWQClMa1Fic3K/ryj/7zVt2/5RvgTXVOSX7mro
9 | uMfp5+0H1Is7wlwXW0bH3C5HTefVI50jdC0SRXRC7hjMT0ER9Mi88Ug4wBOXgrGq
10 | 0qhBbwkbgdZpBBDKo/ES1RntRE4XSQbf2VYk3pQiIAd90KkwgQ==
11 | Private-Lines: 14
12 | AAABAQCO+eW40w29wGn9lPaqHpkrTQW6qiHuTNOYlGiZqhhCmIwYVJsX4QX3NwgC
13 | V58mWLrNLgl/QKNml8HYHMT3iVxf7HXWFr0/v0gkDQpjya5uPRP2CZuf+rdsSOTm
14 | x8VJxRJOy4FviffoV6dSarGLBYiGZNDaIVqYHgH1Gu68xEluc7/xxb+DnA23fkLc
15 | mi0SUuxTbRBozM7Su8GfueSKbDkIcvrcxHOVITdmHw6capIPU4+drVxDFV+yfuUs
16 | n1+pK7Wp/QQdkTphFjtM+xo8FKt1yobObI7hHgt2O+qt+qyAbAtYJQkKxxR6QffE
17 | vIwe8W3exS8KLkfs3LYgelHi6JAVAAAAgQDflwoez1BhFKlYDd79WZJbvvDnUpZ9
18 | uW/CiG1SiXu/vupxlynrhIhmo0l2bboXW06KMiPAowaYSB4SnGVOm/8jERwzKDjp
19 | zR0yrBAgrfXP/7M8PXhibMEFPJaMYQprt2L+Jz4if1U3jocQ8biQgEJ9OSSH3//s
20 | sFemXUx6OF4vJwAAAIEAsiUpXHhaNcUx/jCOtF03ZoDJPKau1npUyI+AcO002XXD
21 | 7UWqyGLHGqdK8XOo6E7DjoXfh6knpf4XFjTfTNQqEgaxXMJdpSzN7desHiOtPBME
22 | ZnjSK8fA7zZhceF2dFkSa1yOFwgQGuq4zpxX8XUyC+jAd5tvJiTx8cyQQRJN7BcA
23 | AACAVbulIVG0cO2b/JGtma0215L6tEaYYDPcbmpaEmNAhFZsD3ojWgMpu7Dd2UEH
24 | uuPgRUXbKRGS/S4O/a5U7zjP7eVPxH4GMVIOgdwYec4PK6U2PzcUVwzehSCc4pQ+
25 | iZUJWuI2smSEUUF3eIfuMB943Qfsfd4oXahVPNlBCBR4Eck=
26 | Private-MAC: 6730c52e494d4aba1191485053ca6f47bb619d2b
27 |
--------------------------------------------------------------------------------
/proftpdpasswd:
--------------------------------------------------------------------------------
1 | root:$6$LnUhhUi45srUKt9i$4Hp6VRTOB2mxvsYH8mwsCfBryg6hCbm4JJjV26KplN8ewZ7EUVqQDkLKDW.O8XRHx.B76JkwXtyD3wnAXEuZN1:3044:3045::/home/root:/bin/ftpsh
--------------------------------------------------------------------------------
/sftp-config.json:
--------------------------------------------------------------------------------
1 | {
2 | "type": "sftp",
3 |
4 | "save_before_upload": true,
5 | "upload_on_save": false,
6 | "sync_down_on_open": false,
7 | "sync_skip_deletes": false,
8 | "sync_same_age": true,
9 | "confirm_downloads": false,
10 | "confirm_sync": true,
11 | "confirm_overwrite_newer": false,
12 |
13 | "host": "example.com",
14 | "user": "root",
15 | "password": "hunter22",
16 | "port": "22",
17 |
18 | "remote_path": "/var/www/html/",
19 | "ignore_regexes": [
20 | "\\.sublime-(project|workspace)", "sftp-config(-alt\\d?)?\\.json",
21 | "sftp-settings\\.json", "\\.git/", "\\.DS_Store", "Thumbs\\.db",
22 | "desktop\\.ini"
23 | ],
24 | "connect_timeout": 30
25 | }
--------------------------------------------------------------------------------
/ventrilo_srv.ini:
--------------------------------------------------------------------------------
1 | [Server]
2 |
3 | Name=Server
4 | Phonetic=Server
5 | Auth=1
6 | Duplicates=1
7 | AdminPassword=AdminPassword123
8 | Password=UserPassword123
9 | SendBuffer=0
10 | RecvBuffer=0
11 | Diag=0
12 | LogonTimeout=5
13 | CloseStd=1
14 | TimeStamp=0
15 | PingRate=10
16 | ExtraBuffer=0
17 | ChanWidth=0
18 | ChanDepth=0
19 | ChanClients=0
20 | DisableQuit=0
21 | VoiceCodec=3
22 | VoiceFormat=32
23 | SilentLobby=0
24 | AutoKick=0
--------------------------------------------------------------------------------
/web/django/settings.py:
--------------------------------------------------------------------------------
"""
Django settings for leaky-repo project.

Generated by 'django-admin startproject' using Django 1.10.

For more information on this file, see
https://docs.djangoproject.com/en/1.10/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/1.10/ref/settings/

NOTE(review): this module is benchmark fixture data for the secrets scanners
described in the repository README (it is listed in .leaky-meta/secrets.csv).
The comments below are for readers; the setting values are deliberately left
exactly as they are so scanner results stay comparable.
"""

import os

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
# BASE_DIR is the parent of the directory that contains this file.
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))


# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
# Risk
# Hard-coded in source: anyone with read access to the repository (or its
# history) has the key. This is the finding the benchmark expects scanners to
# report, so it is intentionally not moved out of the file.
SECRET_KEY = 'zh!=!gq(w^_t[sBR29954x)HI+$ehwss*xYNQeu([xcWMhdzzr'

# SECURITY WARNING: don't run with debug turned on in production!
# Development-only, as the "unsuitable for production" header above states.
DEBUG = True

# '*' matches every Host header, so Django's host validation is effectively
# off; only acceptable together with the development profile declared above.
ALLOWED_HOSTS = ['*']


# Application definition

# Only the django.contrib apps; no project-specific apps are registered.
INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
]

# Includes SecurityMiddleware, CSRF and clickjacking (X-Frame-Options)
# protection alongside the session/auth/messages middleware.
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

# NOTE(review): the 'helloworld' package referenced here and in
# WSGI_APPLICATION does not appear in this repository's tree.
ROOT_URLCONF = 'helloworld.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

WSGI_APPLICATION = 'helloworld.wsgi.application'


# Database
# https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# Local SQLite file under BASE_DIR; no database credentials are involved.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
    }
}


# Password validation
# https://docs.djangoproject.com/en/1.10/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]


# Internationalization
# https://docs.djangoproject.com/en/1.10/topics/i18n/

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_L10N = True

USE_TZ = True


# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.10/howto/static-files/

STATIC_URL = '/static/'
# Filesystem directory under BASE_DIR that static files are collected into.
STATIC_ROOT = os.path.join(BASE_DIR, 'staticfiles')
--------------------------------------------------------------------------------
/web/js/salesforce.js:
--------------------------------------------------------------------------------
// jsforce client library; the connection object is created per call below.
const jsforce = require('jsforce');
// Salesforce creds inline in code.

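/**
 * Logs in to Salesforce, runs a fixed SOQL query (`SELECT Id FROM User`) and
 * passes the result to `success`, or the first failure to `error`.
 *
 * Exactly one of the two callbacks is invoked per call: a login or query
 * failure reports through `error` and stops; only a successful query reaches
 * `success`.
 *
 * @param {string} queryString - Accepted for API compatibility but currently
 *   unused; the query text is hard-coded below.
 * @param {function(Object)} success - Receives the jsforce query result.
 * @param {function(Error)} error - Receives the login or query error.
 */
function sfQuery(queryString, success, error){
    let conn = new jsforce.Connection();
    // Security Risk!
    // Credentials are hard-coded in source control; they belong in the
    // environment or a secret store, and a committed pair must be treated as
    // exposed and rotated.
    conn.login('username@example.com', 'salesforcepassword', function(err, res) {
        if (err) {
            error(err);
            console.error(err);
            // Without this return the query would run on an unauthenticated
            // connection and `success` could fire after `error`.
            return;
        }
        conn.query('SELECT Id FROM User', function(err, res) {
            if (err) {
                error(err);
                console.error(err);
                // A failed query must not also be reported as a success.
                return;
            }
            success(res);
        });
    });
}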
21 |
--------------------------------------------------------------------------------
/web/ruby/config/master.key:
--------------------------------------------------------------------------------
1 | 3ebf21f8e5d1ab86b27a720842c3bb56
--------------------------------------------------------------------------------
/web/ruby/secrets.yml:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Your secret key is used for verifying the integrity of signed cookies.
4 | # If you change this key, all old signed cookies will become invalid!
5 |
6 | # Make sure the secret is at least 30 characters and all random,
7 | # no regular words or you'll be exposed to dictionary attacks.
8 | # You can use `rake secret` to generate a secure secret key.
9 |
10 | # Make sure the secrets in this file are kept private
11 | # if you're sharing your code publicly.
12 |
13 | development:
14 | secret_key_base: e0ec946fcefea5ce0d4d924f3c8db11dffeb7d10b320a69133c47a9641ab7d204d22c94f10c1ce1e187c643805fec5b2d2ba322c17bac533c110e6c6378ba84c
15 |
16 | test:
17 | secret_key_base: 96dc2e349b1236b9e5915f1526b5e28e19a6557a88026007632c6c11da7cb5952ae55c520eb0d6fa78b972cbe8e855887f539edea5f969636792e54469e3c96e
18 |
19 | # Do not keep production secrets in the repository,
20 | # instead read values from the environment.
21 | production:
22 | secret_key_base: 8969518770d7484053e72f09c7bd37995d79c320e618ce3ec7a44b7c43fafff1615622a01513789bff7ac7a5201c6382bb6851632c8aa63e76bf0f0a01ed0e17
--------------------------------------------------------------------------------
/web/var/www/.env:
--------------------------------------------------------------------------------
1 | # Laravel .env file. Can contain some SUPER sensitive stuff.
2 | APP_ENV=local
3 | APP_DEBUG=true
4 | # Risk
5 | APP_KEY=base64:4StV8PVvCLC6gkJXgGdkYdlWW0suqjb2sj0QvDHx3Hsn
6 |
7 | # Informative
8 | DB_HOST=localhost
9 | # Informative
10 | DB_DATABASE=main
11 | # Informative
12 | DB_USERNAME=root
13 | # Risk
14 | DB_PASSWORD=admin123
15 |
16 | CACHE_DRIVER=file
17 | SESSION_DRIVER=file
18 | QUEUE_DRIVER=sync
19 |
20 | # Informative
21 | REDIS_HOST=localhost
22 | # Risk
23 | REDIS_PASSWORD=RedisPass1!
24 | REDIS_PORT=6379
25 |
26 | MAIL_DRIVER=smtp
27 | # Informative
28 | MAIL_HOST=smtp.gmail.com
29 | MAIL_PORT=587
30 | # Informative
31 | MAIL_USERNAME=user@example.com
32 | # Risk
33 | MAIL_PASSWORD=Mailpass1234!
34 | MAIL_ENCRYPTION=tls
--------------------------------------------------------------------------------
/web/var/www/public_html/.htpasswd:
--------------------------------------------------------------------------------
1 | admin:$apr1$tp8glkbm$fjg65tI1eipoBh62aEjIy0
--------------------------------------------------------------------------------
/web/var/www/public_html/config.php:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/web/var/www/public_html/wp-config.php:
--------------------------------------------------------------------------------
1 | M%0Vl 2(#o0|2$cB+K|.G$hB~4`Juw@]:(5;oVUl<Y9.5Ch0-3cq|=vbus[IeF(OJ9yZ|SQ#:iG;NSa+GJmj _1Ed(cVZ7r#+JMlA,S');
36 | # Risk
37 | define('LOGGED_IN_KEY', 'Q$:B]zZjN-AdT<>h7V1.vm+k^|}2wVZf]Xw#QEZ[-pSohv+Kj0W-Z|:|g$-+E8:8');
38 | # Risk
39 | define('NONCE_KEY', '}Fi>>0a{> akEdJ1K3c}([(:x;K[)ZQ3F3cttcpd EFORd.%R|*|rdRs#-L-&)P1');
40 | # Risk
41 | define('AUTH_SALT', 'j@cGIZJfObpPU);AZgYH5,ubbSlUp|ZnLZNlq|;tkFe5xc(=_0[LKbF71T.EE ~9');
42 | # Risk
43 | define('SECURE_AUTH_SALT', 'Ed&1cr+{3T$a+{[8LP~i5-[|Z`x-V>;Di_C/E~UnSg{n[h#{D[-t>yIUZ8YqSu3t');
44 | # Risk
45 | define('LOGGED_IN_SALT', 'of@~yp:v@SK;Y}hzUo4=bz9WmX&vEw5TO dD$<2djGcE+Qz,Sb9i:{+U<#eM-RmE');
46 | # Risk
47 | define('NONCE_SALT', ':9URM*n56|I|Rf$|ud0cFJ+Lq&j9^-!{%%pW. ,Z=');
48 |
49 |
50 | /* Absolute path to the WordPress directory. */
51 | if ( !defined('ABSPATH') )
52 | define('ABSPATH', dirname(__FILE__) . '/');
53 |
54 | /* Sets up WordPress vars and included files. */
55 | require_once(ABSPATH . 'wp-settings.php');
--------------------------------------------------------------------------------